-**Microsoft Security Resources**: From antimalware to Zero Trust, get all the relevant resources for your organization's security needs. [Visit Resources](/security/business).

-Purging of SharePoint, OneDrive for work or school, and Teams files DEPs is not supported in Customer Key. These multi-workload DEPs are used to encrypt data across multiple workloads across all tenant users. Purging such a DEP would result in data from across multiple workloads becoming inaccessible. If you decide to exit Microsoft 365 services altogether, you could pursue the path of tenant deletion per the documented process. See how to [delete a tenant in Azure Active Directory](/azure/active-directory/enterprise-users/directory-delete-howto).

-| **OCSP URLs** | http://root-c3-ca2-2009.ocsp.d-trust.net |

-| **OCSP URLs** | http://root-c3-ca2-ev-2009.ocsp.d-trust.net |

-| **CRL URLs** | http://crl.globalsign.net/root-r2.crl |

-| **OCSP URLs** | http://ocsp.globalsign.com/rootr2 |

-| **AIA URLs** | https://cacert.omniroot.com/baltimoreroot.crt<br>https://cacert.omniroot.com/baltimoreroot.der |

-<https://cacert.omniroot.com/baltimoreroot.crt><br>

-<https://cacert.omniroot.com/baltimoreroot.der><br>

-Escalate the case for user investigation in situations where additional legal review is needed for the user's risk activity. This escalation opens a new Microsoft Purview eDiscovery (Premium) case in your Microsoft 365 organization. eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external legal investigations. It also lets your legal team manage the entire legal hold notification workflow to communicate with custodians involved in a case. Assigning a reviewer as a custodian in an eDiscovery (Premium) case created from an insider risk management case helps your legal team take appropriate action and manage content preservation. To learn more about eDiscovery (Premium) cases, see [Overview of Microsoft Purview eDiscovery (Premium)](overview-ediscovery-20.md).

- Alternatively, and if you don't have access to the **Records management** solution, you can use *AllowFilesWithKeepLabelToBeDeletedSPO* and *AllowFilesWithKeepLabelToBeDeletedODB* from [Get-PnPTenant](/powershell/module/sharepoint-pnp/get-pnptenant) and [Set-PnPTenant](/powershell/module/sharepoint-pnp/set-pnptenant).

-For our example, we're going to create an explanation that provides a hint about the entity format itself and variations it might have in the sample documents. For example, a date value can be in a number of different formats, such as:

-To help identify the *Service Start Date* you can create a pattern explanation.

-If you receive a match on your labeled sample files, you can now test your model on the remaining unlabeled example files. This is optional, but a useful step to evaluate the "fitness" or readiness of the model before using it, by testing it on files the model hasn't seen before.

-1. From the model home page, select the **Test** tab. This runs the model on your unlabeled sample files.

-### Further refine an extractor

-2. The first time you use this feature, you are activating SharePoint Syntex on your site. You'll see the following message.

-Microsoft 365 Lighthouse supports reprovisioning Cloud PCs that have a provisioning policy. You may need to reprovision a device for a new user or if the device isn't working properly. When a reprovision is triggered, the Cloud PC will be deleted and recreated as a new Cloud PC. All user data, applications, customizations, and the like will be deleted.

-Scheduling Preferences

-======================

-Scheduler takes into account several Outlook preferences to schedule a meeting for an organizer. Any changes to their preference settings via Outlook clients will automatically be reflected in how Scheduler handles the subsequent requests sent to Cortana. For instance, if an organizer changes their time zone preference on the Settings page in Outlook Web, all subsequent requests by the organizer will default to the new time zone value.

-Supported Settings

-Time zone

-The time zone used when determining an appropriate time to schedule meetings. See [Add, remove, or change time zones](https://support.microsoft.com/en-us/office/add-remove-or-change-time-zones-5ab3e10e-5a6c-46af-ab48-156fedf70c04) documentation.

-Work hours and days

-For most meeting types, Scheduler will schedule a time according to the organizer's work week and meeting hours preferences. See [Change your work hours and days in Outlook](https://support.microsoft.com/en-us/office/change-your-work-hours-and-days-in-outlook-a27f261d-0681-415f-8ac1-388ab21e833f) documentation.

-Online meetings

-You can turn on a Calendar option so that all the meetings you schedule from Outlook and Scheduler will be held online with conference details. Scheduler currently supports Teams and Skype as meeting providers. See [Make all meetings Teams meetings](https://support.microsoft.com/en-us/office/schedule-a-teams-meeting-from-outlook-883cc15c-580f-441a-92ea-0992c00a9b0f#bkmk_makeallteamsmtngs) documentation.

-Default meeting duration

-If the organizer does not specify the desired meeting duration in the request, Scheduler will use the preferred meeting duration for the request. This setting is only available in the Windows Outlook client.

-1. Click on **File** > **Options** 

-2. Select **Calendar** in the **Navigation Pane**.

-3. The default duration setting is located under **Calendar** **Options**.

-

-Avoid back-to-back meetings

-Outlook now has a setting that automatically starts meetings late or ends meetings early to avoid back-to-back meetings. If set, Scheduler will also shorten the meeting duration according to the preference setting. See [Change default meeting length](https://techcommunity.microsoft.com/t5/hybrid-work/change-default-meeting-length-in-outlook-avoid-back-to-back/m-p/1247361) in Outlook documentation.

-Additional Note

-===============

-

-For more information about Zero Trust, see Microsoft's [_**Zero Trust Guidance Center**_](/security/zero-trust).

-During and after an automated investigation, remediation actions for threat detections are identified. Depending on the particular threat and how [Microsoft Defender for Endpoint](/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically, and others require approval. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center**.

-## (NEW!) A unified Action center

-We are pleased to announce a new, unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center))!

-> [!TIP]

-> To learn more, see [Requirements](/microsoft-365/security/mtp/prerequisites).

-When you visit the Action center, you see two tabs: **Pending actions** and **History**. The following table summarizes what you'll see on each tab:

-|Tab|Description|

-|||

-|**Pending**|Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as **Quarantine file**). <p> **TIP**: Make sure to [review and approve (or reject) pending actions](manage-auto-investigation.md) as soon as possible so that your automated investigations can complete in a timely manner.|

-|**History**|Serves as an audit log for actions that were taken, such as: <ul><li>Remediation actions that were taken as a result of automated investigations</li><li>Remediation actions that were approved by your security operations team</li><li>Commands that were run and remediation actions that were applied during Live Response sessions</li><li>Remediation actions that were taken by threat protection features in Microsoft Defender Antivirus</li></ul> <p> Provides a way to undo certain actions (see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions)).|

-You can customize, sort, filter, and export data in the Action center.

-<br>

-****

-|

-> Check out the new, unified investigation page in the Microsoft 365 Defender portal. To learn more, see [(NEW!) Unified investigation page](/microsoft-365/security/defender/m365d-autoir-results#new-unified-investigation-page).

-Your organization must have Defender for Endpoint (see [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)).

-Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.

-The following table describes each level of automation and how it works.

-<br>

-****

-|**Full - remediate threats automatically** <br> (also referred to as *full automation*)|With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone. <p> ***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*|

-|

-If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/) (Defender for Endpoint), [automated investigation and remediation capabilities](/microsoft-365/security/defender-endpoint/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations).

-1. As a global administrator or security administrator, go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.

-1. In the Microsoft 365 Defender portal (<https://security.microsoft.com>), on the **Settings** page, under **Permissions**, select **Device groups**.

- - Microsoft Defender Antivirus functional troubleshooting /application compatibility (false positive application blocks).

- - Microsoft Defender Antivirus performance troubleshooting by using the troubleshooting mode and manipulating tamper protection and other antivirus settings.

- - Local admins won't be able to turn off Microsoft Defender Antivirus, or uninstall it.

- - Local admins will be able to configure all other security settings in the Microsoft Defender Antivirus suite (for example, cloud protection, tamper protection).

- - Snapshot of `MpPreference` will be taken before troubleshooting mode begins.

- - Second snapshot will be taken just before troubleshooting mode expires.

- - Operational logs from during troubleshooting mode will also be collected.

- - All the above logs and snapshots will be collected and will be available for an admin to collect using the [Collect investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) feature on the device page. Note that Microsoft won't remove this data from the device until an admin collects them.

-1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com), and sign in.

-3. Confirm you want to turn on troubleshooting mode for the device.

-

-4. The device page shows the device is now in troubleshooting mode.

-let deviceName = "<device name>"; // update with device name

-let deviceId = "<device id>"; // update with device id

-search in (DeviceEvents)

-(DeviceName == deviceName

-) and ActionType == "AntivirusTroubleshootModeEvent"

-| extend _tsmodeproperties = parse_json(AdditionalFields) 

-| project $table, Timestamp,DeviceId, DeviceName, _tsmodeproperties,

- _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,

- _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,

- _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource

-### Devices currently in troubleshooting mode 

-search in (DeviceEvents)

-ActionTypeΓÇ»==ΓÇ»"AntivirusTroubleshootModeEvent"

-| extend _tsmodeproperties = parse_json(AdditionalFields) 

-| where Timestamp > ago(3h)

-| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"

-|summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId

-search in (DeviceEvents)

-ActionTypeΓÇ»==ΓÇ»"AntivirusTroubleshootModeEvent"

-| extend _tsmodeproperties = parse_json(AdditionalFields) 

-| where Timestamp > ago(30d)  // choose the date range you want

-| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"

-| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId

-| sort by count_

-search in (DeviceEvents)

-ActionTypeΓÇ»==ΓÇ»"AntivirusTroubleshootModeEvent"

-| extend _tsmodeproperties = parse_json(AdditionalFields) 

-| where Timestamp > ago(2d) //beginning of time range

-| where Timestamp < ago(1d) //end of time range

-| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"

-| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() 

-| where count_ > 5          // choose your max # of TS mode instances for your time range

- - Scope - Define the scope of the device group.

-<br>

-****

-|<ul><li>Automated investigation</li><li>Microsoft Defender Antivirus</li><li>Manual response actions</li></ul>|<ul><li>Isolate device</li><li>Restrict code execution</li><li>Quarantine a file</li><li>Remove a registry key</li><li>Stop a service</li><li>Disable a driver</li><li>Remove a scheduled task</li></ul>|

-|

-<br>

-****

-|**Full - remediate threats automatically** (the recommended setting)|A verdict of *Malicious* is reached for a piece of evidence. <p> Appropriate remediation actions are taken automatically.|[Review completed actions](#review-completed-actions)|

-|

-In Microsoft Defender for Endpoint, all verdicts are tracked in the [Action center](auto-investigation-action-center.md#new-a-unified-action-center).

- > If you're using Defender for Business, scoping does not apply. Skip this step and proceed to step 5.

- - NOCSH

- - MET150

- - M365-security-compliance

- - m365initiative-defender-office365

-description: Admins can learn about the built-in anti-spam and anti-malware protection that's available in Exchange Online Protection (EOP).

-# Anti-spam and anti-malware protection in EOP

-**Applies to**

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam and malware by EOP.

-Spam is unsolicited and unwanted email. Malware is viruses and spyware. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware is a specific type of malware that gathers your personal information (for example, sign-in information and personal data) and sends it back to the malware author.

-EOP has built-in inbound and outbound malware filtering to help protect your organization from malicious software, and built-in spam filtering to help protect your organization from both receiving and sending spam (for example, in case of compromised accounts). Admins don't need to set up or maintain the filtering technologies because they're enabled by default. However, you can customize the settings based on the needs of your organization.

-> [!NOTE]

-> If you use SharePoint Online, anti-malware protection is also automatically provided for files that are uploaded and saved to document libraries. This protection is provided by the Microsoft anti-malware engine that's also integrated into Exchange. This anti-malware service runs on all SharePoint Online Content Front Ends (CFEs).

-## Anti-malware protection in EOP

-The following table contains links to topics that explain how anti-malware protection works in EOP, and how you can fine-tune your anti-malware configuration settings to best meet the needs of your organization.

-|Topic|Description|

-|||

-|[Anti-malware protection in EOP](anti-malware-protection.md)|Provides overview information about how the service offers multi-layered malware protection that's designed to catch all known malware traveling to or from your organization.|

-|[Anti-malware protection FAQ](anti-malware-protection-faq-eop.yml)|Provides a detailed list of frequently asked questions and answers about anti-malware protection in the service.|

-|[Configure anti-malware policies in EOP](configure-anti-malware-policies.md)|Describes how to configure the default company-wide anti-malware policy, as well as create custom anti-malware policies that you can apply to specified users, groups, or domains in your organization.|

-|[Recover from a ransomware attack](recover-from-ransomware.md)||

-|[Virus detection in SharePoint Online](virus-detection-in-spo.md)|

-## Anti-spam protection in EOP

-The following table contains links to topics that explain how anti-spam protection works in EOP, and how you can fine-tune your anti-spam configuration settings to best meet the needs of your organization.

-|Topic|Description|

-|||

-|[Anti-spam protection in EOP](anti-spam-protection.md)|Provides overview information about the main anti-spam protection features included in the service.|

-|[Anti-spam protection FAQ](anti-spam-protection-faq.yml)|Provides frequently asked questions and answers about anti-spam protection.|

-|[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)|Provides information about how you can configure anti-spam policies (also known as spam filter policies or content filter policies). You can configure the default company-wide anti-spam policy or create custom anti-spam policies that apply to specific users, groups, or domains in your organization.|

-|[Configure connection filtering](configure-the-connection-filter-policy.md)|Shows how you can add source IP address to the IP Allow List and the IP Block List in the default connection filter policy.|

-|[Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md)|Learn the recommended methods to keep good messages from being identified as spam.|

-|[Create blocked sender lists in EOP](create-block-sender-lists-in-office-365.md)|Learn the recommended methods to block bad messages that aren't being correctly identified as spam.|

-|[Spam confidence level (SCL) in EOP](spam-confidence-levels.md)|Learn about the spam determination of spam filtering.|

-|[Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md)|Learn about the threshold that determines whether bulk email is spam.|

-|[What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md)|Explains the difference between junk email and bulk email messages the controls that are available for both in EOP.|

-|[Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md)|Learn about the organization settings and mailbox-specific settings that determine whether mail is moved into the Junk Email folder.|

-|[Use mail flow rules to set the spam confidence level (SCL) in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl)|Learn how to use mail flow rules (also known as transport rules) to set the SCL in messages before spam filtering.|

-|[Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md)|Learn about the ASF settings that are available in anti-spam policies.|

-### Outbound spam protection in Exchange Online

-The following table contains links to topics that explain how outbound spam protection works for Exchange Online mailboxes.

-|Topic|Description|

-|||

-|[Outbound spam protection in EOP](outbound-spam-controls.md)||

-|[Configure outbound spam filtering in EOP](configure-the-outbound-spam-policy.md)|Shows how to configure outbound spam policies, which contain settings that help make sure your users don't send spam through the service.|

-|[High-risk delivery pool for outbound messages](high-risk-delivery-pool-for-outbound-messages.md)||

-|[Remove blocked users from the Restricted Users portal in Office 365](removing-user-from-restricted-users-portal-after-spam.md)||

-## Common protection technologies

-The following table contains links to topics that explain settings that are common to anti-malware and anti-spam protection.

-|Topic|Description|

-|||

-|[Anti-spam message headers](anti-spam-message-headers.md)|Describes the anti-spam fields placed in Internet headers, which can help provide administrators with information about the message and about how it was processed.|

-|[Order and precedence of email protection](how-policies-and-protections-are-combined.md)||

-|[Zero-hour auto purge (ZAP) - protection against spam and malware](zero-hour-auto-purge.md)||

-|[Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md)||

-|[Use the delist portal to remove yourself from the Microsoft 365 blocked senders list](use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md)||

-description: Learn about Safe Documents in Microsoft 365 E5/A5 or Microsoft 365 E5/A5 Security.

-# Safe Documents in Microsoft 365 E5/A5

-Safe Links is a feature in [Defender for Office 365](defender-for-office-365.md) that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular [anti-spam and anti-malware protection](anti-spam-and-anti-malware-protection.md) in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.

-If you're not a customer, but are trying to send mail to someone in who is, you're in the right place. If you're an administrator and you need help with fighting spam, this isn't the right section for you. Instead, go to [Anti-spam and anti-malware protection in Microsoft 365](anti-spam-and-anti-malware-protection.md).

-|Services provided to administrators of email systems that are sending individual and bulk email to customers.|[Services for non-customers sending mail to Office 365](services-for-non-customers.md)|

-|How you, an administrator sending email to Microsoft 365 customers, can avoid having email blocked by adhering to our anti-spam policies. This is the legal stuff you need to know.|[Reference: Policies, practices, and guidelines](reference-policies-practices-and-guidelines.md)|

-[Anti-spam and anti-malware protection in EOP](anti-spam-and-anti-malware-protection.md)

-If you are not seeing data in your Defender for Office 365 reports, double-check that your policies are set up correctly. Your organization must have [Safe Links policies](set-up-safe-links-policies.md) and [Safe Attachments policies](set-up-safe-attachments-policies.md) defined in order for Defender for Office 365 protection to be in place. Also see [Anti-spam and anti-malware protection](anti-spam-and-anti-malware-protection.md).

-|1|Configure starting-point Zero Trust identity and device access policies|Work with your identity administrator to [Implement Level 2 App Protection Policies (APP) data protection](manage-devices-with-intune-app-protection.md). These policies do not require that you manage devices. You configure the APP policies in Intune. Your identity admin configures a Conditional Access policy to require approved apps.|E3, E5, F1, F3, F5|

-|2|Enroll devices to Intune|This task requires more planning and time to implement. Microsoft recommends using Intune to enroll devices because this tool provides optimal integration. There are several options for enrolling devices, depending on the platform. For example, Windows devices can be enrolled by using Azure AD Join or by using Autopilot. You need to review the options for each platform and decide which enrollment option is best for your environment. See [Step 3ΓÇöEnroll devices to Intune](manage-devices-with-intune-enroll.md) for more information.|E3, E5, F1, F3, F5|

-|3|Configure compliance policies|You want to be sure devices that are accessing your apps and data meet minimum requirements, for example devices are password or pin-protected and the operating system is up to date. Compliance policies are the way to define the requirements that devices must meet. [Step 3. Set up compliance policies](manage-devices-with-intune-compliance-policies.md) helps you configure these policies.|E3, E5, F3, F5|

-|4|Configure Enterprise (recommended) Zero Trust identity and device access policies|Now that your devices are enrolled, you can work with your identity admin to [tune Conditional Access policies to require healthy and compliant devices](manage-devices-with-intune-require-compliance.md).|E3, E5, F3, F5|

-|5|Deploy configuration profiles|As opposed to device compliance policies that simply mark a device as compliant or not based on criteria you configure, configuration profiles actually change the configuration of settings on a device. You can use configuration policies to harden devices against cyberthreats. See [Step 5. Deploy configuration profiles](manage-devices-with-intune-configuration-profiles.md).|E3, E5, F3, F5|

-|6|Monitor device risk and compliance with security baselines|In this step, you connect Intune to Microsoft Defender for Endpoint. With this integration, you can then monitor device risk as a condition for access. Devices that are found to be in a risky state will be blocked. You can also monitor compliance with security baselines. See [Step 6. Monitor device risk and compliance to security baselines](manage-devices-with-intune-monitor-risk.md).|E5, F5|

-|7|Implement data loss prevention (DLP) with information protection capabilities|If your organization has put the work into identifying sensitive data and labeling documents, you can work with your information protection admin to [protect sensitive information and documents on your devices](manage-devices-with-intune-dlp-mip.md).|E5, F5 compliance add-on|

-This guidance is tightly coordinated with the recommended [Zero Trust identity and device access policies](../security/office-365-security/microsoft-365-policies-configurations.md). You will be working with your identity team to carry through protection that you configure with Intune into Conditional Access policies in Azure AD.

-Note that only Intune is managing devices. Onboarding refers to the ability for a device to share information with a specific service capability. The following table summarizes the differences between enrolling devices into management and onboarding devices for a specific capability.

-|&nbsp;|Enroll|Onboard|

-||||

-|Description|Enrollment applies to managing devices. Devices are enrolled for management with Intune or Configuration Manager.|Onboarding configures a device to work with a specific set of capabilities in Microsoft 365. Currently, onboarding applies to Microsoft Defender for Endpoint and Microsoft compliance capabilities. <br/><br/> On Windows devices, onboarding involves toggling a setting in Windows Defender that allows Defender to connect to the online service and accept policies that apply to the device.|

-|Scope|These device management tools manage the entire device, including configuring the device to meet specific objectives, like security.|Onboarding only affects the capabilities that apply.|

-|Recommended method|Azure Active Directory join automatically enrolls devices into Intune.|Intune is the preferred method for onboarding devices to Windows Defender for Endpoint, and consequently Microsoft Purview capabilities. <br/><br/> Note that devices that are onboarded to Microsoft Purview capabilities using other methods are not automatically enrolled for Defender for Endpoint.|

-|Other methods|Other methods of enrollment depend on the platform of the device and whether it is BYOD or managed by your organization.|Other methods for onboarding devices include, in recommended order: <ul><li>Configuration Manager</li><li>Other mobile device management tool (if the device is managed by one)</li><li>Local script</li><li>VDI configuration package for onboarding non-persistent virtual desktop infrastructure (VDI) devices</li><li>Group Policy</li></ul>|

-Note that the only Yammer activity that will trigger an automatic group renewal is the upload of a document to SharePoint within the community.

-The host organization's [conditional access policies](/azure/active-directory/conditional-access/overview) are applied to external participants, including B2B direct connect users. The external organization's policies are not used. The following types of conditional access policies are supported with shared channels: